In the first four months of 2016, we have discovered new families and variants of ransomware, seen their vicious new routines, and witnessed the threat actors behind these operations upping the ransomware game to new heights. All these developments further establish crypto-ransomware as a lucrative cybercriminal enterprise. As we predicted, this year is indeed shaping up to be the year of online extortion, and while the security industry may be doing an admirable job of keeping up with each new tactic and providing solutions, the less-informed public and organizations may very well be on the receiving end of crippling malware that can destroy personal and corporate files and lead to huge financial losses.
Stepping into new territories
This February, Hollywood Presbyterian Medical Center was hit hard with Locky ransomware, which impacted the facility’s emergency rooms. The establishment paid a ransom of $17,000 just to decrypt its files. Soon after, the Methodist Hospital in Henderson, Kentucky was hit with Locky, preventing access to its patient files. In both cases lives were on the line, and both appeared to be specifically targeted and handed a deliberately large ransom demand.
The next stage of crypto-ransomware
Even the basics of crypto-ransomware itself are evolving. Cybercriminals are exploring new ways to make attacks personal in an attempt to get inside the victim’s head, and this is just the surface. In terms of routines, these crypto-ransomware families are getting more creative: using macros and scripts, displaying professional-looking pages, or adding new functions that put more pressure on their victims, such as modifying a computer’s master boot record, spreading across networks, and crossing platforms as well. Other actors previously known to spread different types of threats (e.g. online banking malware) seem to have joined the crypto-ransomware bandwagon, too. This appears to be the case for DRIDEX spam campaigns, which bear distinct similarities to LOCKY’s.
Here are some noteworthy threats that have stood out in the first quarter of 2016:
- KeRanger becomes the first ransomware that successfully targets Mac OS
- MAKTUBLOCKER sends targets email messages that contain the users’ full names and mailing addresses in order to appear legitimate and further convince these users into downloading this crypto-ransomware
- SAMAS/SAMSAM encrypts files across networks by looking for and attacking systems running vulnerable JBoss servers
- CERBER adds a ‘voice’ capability to verbally move users into paying the ransom
- PowerWare abuses Windows PowerShell in order to leave as little trace of infection as possible
- PETYA overwrites an affected system’s master boot record and locks users out
- JIGSAW copies all the user’s files, deletes the original ones, and destroys the copies incrementally
Figure 2. Crypto-ransomware variants display various images (clockwise from top left): Keranger, Petya, Jigsaw, and PowerWare
We have already mentioned notable ransomware cases that attacked health organizations. Health organizations are often easy targets because they lack security provisions that can handle cyber threats. If we follow the money, the next targets may very well be other businesses and organizations that also lack sophisticated cybersecurity and do not create backups of their most crucial data.
Imagine if one Wall Street bank were hit with ransomware. How much client data would be lost? We believe that some threat actors will switch from the shotgun approach to targeting companies that rely heavily on their corporate data, and proceed from there. Of course, many will still target home users for a more sustained flow of dirty money. In our previous CTO Insights interview with Trend Micro CTO Raimund Genes, viewers are told that paying the ransom only fuels cybercrime. “If all your data is encrypted, if the only way to get the data back is paying the bad guys, I understand. But is it good? No.”
An inevitable stop
Preventing ransomware may be difficult, but the means of backing up data are already available. From hard drives to cloud-based backups, the tools exist; what matters is the right mindset and knowing how to mitigate the effects of ransomware.
These aren’t temporary solutions. When damage is minimized and users spare themselves from paying a ransom or losing files permanently, the approach works. We strongly encourage users and employees, as well as enterprises, to follow our basic 3-2-1 rule for backing up data.
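The 3-2-1 rule (three copies of the data, on two different media, with one copy off-site) is easier to state than to verify. As an added example that is not from the article or from Trend Micro, the Python below grades a constructed backup inventory against the rule and also flags the ransomware-specific gap of a "backup" that stays writable from the protected host. The Copy class, its field names and the sample inventories are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class Copy:
    label: str
    media: str           # e.g. "internal_disk", "external_disk", "tape", "cloud"
    offsite: bool        # kept outside the primary site
    online: bool         # writable from the protected host at all times
    is_original: bool = False


def check_321(copies):
    """Grade an inventory of copies: 3 copies, 2 media, 1 off-site, plus an
    isolation check that matters for crypto-ransomware in particular."""
    originals = [c for c in copies if c.is_original]
    backups = [c for c in copies if not c.is_original]
    media = {c.media for c in copies}
    return {
        "three_copies": len(originals) >= 1 and len(backups) >= 2,
        "two_media": len(media) >= 2,
        "one_offsite": any(c.offsite for c in backups),
        # A backup that is always writable from the host can be encrypted
        # alongside the original, so at least one must be offline.
        "one_offline": any(not c.online for c in backups),
    }


def meets_321(copies):
    """True only when every check in check_321 passes."""
    return all(check_321(copies).values())


# Constructed sample: original on a laptop, a synced cloud folder and a USB
# disk that is never unplugged. It looks like 3-2-1 but every copy is writable
# (and therefore encryptable) from the laptop.
SAMPLE_WEAK = [
    Copy("laptop", "internal_disk", offsite=False, online=True, is_original=True),
    Copy("cloud-sync", "cloud", offsite=True, online=True),
    Copy("usb-always-on", "external_disk", offsite=False, online=True),
]

# Same data, but the USB disk is rotated and disconnected after each backup.
SAMPLE_GOOD = [
    Copy("laptop", "internal_disk", offsite=False, online=True, is_original=True),
    Copy("cloud-sync", "cloud", offsite=True, online=True),
    Copy("usb-rotated", "external_disk", offsite=False, online=False),
]
```

Running check_321 over an inventory exported from a backup tool is a quick way to see which of the four conditions an environment actually fails.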
As far as Internet etiquette goes, users should not open attachments sent by unknown senders. Make sure the sites visited use HTTPS, or use bookmarks for regularly visited sites. Always install the latest OS and software updates when they are available, and avoid downloading from pop-up ads.
As crypto-ransomware is now being used to cripple organizations, IT administrators should treat this threat not as a per-individual case but as a problem for the whole organization. Proper briefing on Internet safety and security for employees is strongly advised. Data should also be categorized and stored accordingly: highly classified data should be stored separately with limited access. IT admins should also make sure that systems have updated software and OS to prevent threats that rely on vulnerabilities.
Since ransomware has several ways of infecting a computer, Trend Micro offers different solutions to protect individual customers and networks. These include a holistic approach to web, email, and file reputation, application whitelisting, as well as exploit prevention.
Trend Micro™ Security, Trend Micro™ Smart Protection Suites, and Trend Micro Worry-Free™ Business Security can protect users and organizations from this threat by detecting malicious files and email messages before they can infect any system or cause further damage. These solutions can also block related malicious URLs that may contain or spread ransomware. Systems with Trend Micro™ Smart Protection Suites are also protected from this threat via Trend Micro Endpoint Application Control.
Let’s think about crypto-ransomware as a cybercriminal enterprise: it has established players and start-ups, and all of them thrive on the responsiveness of their targets. Its behavior follows how we respond to the threat. The more we keep fueling cybercrime, the more it will grow. Cut off its supply and attackers will look for new ways to get what they want.
To stop this cybercrime enterprise, organizations and individuals must face this threat prepared, and have the proper security in place to avoid becoming a victim altogether.
With additional insights from Anthony Melgarejo, Joselito dela Cruz, and Marvin Cruz